CLI question..


Is it possible to create a rulegroup via the CLI? I am having trouble accessing a remote firewall via the admin console.

I have created the ruleset I need via SSH, but I need to create a rule group. Can I do that via the command line?

'cf policy help' does not indicate if this can be done.


1 Solution

Accepted Solutions
sliedl
Level 14
Message 2 of 5

Re: CLI question..


You can run this command to create a 'Login Console' rule (for logging in locally using a keyboard/monitor) and an 'Admin Console' rule (for the GUI) at the very top of your policy:

$> cf policy restore_console_access

-- The Admin Console rule will be created with a Source and Destination zone of 'internal' when you run this command.  You can change that zone using 'cf policy modify.'

Do a 'man cf_policy' to read the whole manual page for the cf_policy command.  There is no need to ever create a rulegroup, but here is the syntax:

policy add table=rulegroup name=Administration pos=3 rulegroup='' disable=no \
    description='Allow access for firewall administration.'

policy add table=rule name='Login Console' rulegroup=Administration pos=1 \
    action=allow appdefense=defaultgroup:defaultgroup \
    application='custom:Login Console' audit=standard \
    authenticator=authenticator:password authgroups='*' dest=all:v4 \
    dest_zones=zone:Firewall disable=no exclude_capability='' ipsresponse='' \
    nat_addr='' nat_mode=none redir='' redir_port='' sign_category_grp='' \
    source=all:v4 source_zones=zone:Firewall ssl_ports='' tcp_ports='' \
    timeperiod='*' ts_enable=no ts_reputation=medium_unverified_threshold \
    udp_ports='' description='Allow login from system console.'

policy add table=rule name='Admin Console' rulegroup=Administration pos=2 \
    action=allow appdefense=defaultgroup:defaultgroup \
    application='custom:Admin Console' audit=verbose \
    authenticator=authenticator:password authgroups='*' dest=all:v4 \
    dest_zones=zone:internal disable=no exclude_capability='' ipsresponse='' \
    nat_addr=virtual_host:localhost nat_mode=normal \
    redir=virtual_ipaddr:Firewall redir_port=9002 sign_category_grp='' \
    source=all:v4 source_zones=zone:internal ssl_ports='' tcp_ports='' \
    timeperiod='*' ts_enable=no ts_reputation=medium_unverified_threshold \
    udp_ports='' \
    description='Allow Admin Console access from the internal zone'
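Editor's note: the same rulegroup and 'Admin Console' rule, as an added example script (not from this thread and not the vendor's own tooling) that parameterizes the group name, the zone and the source object so the identical policy can be reproduced on several firewalls. It assumes the shell form of the syntax above is `cf policy add ...` (the thread shows `policy add` and refers to `cf policy help`), that CF_BIN names the cf binary, and that DRY_RUN=1 (the default) prints the commands instead of running them. Because the finished command string is handed to a shell, the script refuses object names containing anything but plain identifier characters.

```shell
#!/bin/sh
# Added example, not from the thread or the vendor's documentation.
# Builds the rulegroup and 'Admin Console' rule commands from the syntax
# posted above, with the group name, zone and source object as parameters.
# Assumptions: the shell form is "cf policy add ..." (the thread shows the
# commands as "policy add" and refers to "cf policy help"); CF_BIN names
# the cf binary; DRY_RUN=1 (the default) prints the commands instead of
# running them.
set -eu

CF_BIN="${CF_BIN:-cf}"
DRY_RUN="${DRY_RUN:-1}"

# Object names (rulegroups, zones) must be plain identifiers.  Because the
# command string is later handed to a shell, anything else is refused
# rather than interpolated.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Endpoint objects look like all:v4 or type:name, so ':' and '.' are allowed.
valid_object() {
    case "$1" in
        ''|*[!A-Za-z0-9_.:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the rulegroup command.  $1 = group name, $2 = position in the policy.
rulegroup_cmd() {
    printf '%s' "$CF_BIN policy add table=rulegroup name=$1 pos=$2 rulegroup='' disable=no description='Allow access for firewall administration.'"
}

# Print the Admin Console rule command on a single line.
# $1 = rulegroup, $2 = position inside the group, $3 = zone the GUI is
# reached from, $4 = source object.  The thread's rule uses all:v4; a
# firewall-defined management-subnet object narrows who may reach port 9002.
admin_console_cmd() {
    printf '%s' "$CF_BIN policy add table=rule name='Admin Console' rulegroup=$1 pos=$2 \
action=allow appdefense=defaultgroup:defaultgroup application='custom:Admin Console' audit=verbose \
authenticator=authenticator:password authgroups='*' dest=all:v4 dest_zones=zone:$3 disable=no \
exclude_capability='' ipsresponse='' nat_addr=virtual_host:localhost nat_mode=normal \
redir=virtual_ipaddr:Firewall redir_port=9002 sign_category_grp='' source=$4 source_zones=zone:$3 \
ssl_ports='' tcp_ports='' timeperiod='*' ts_enable=no ts_reputation=medium_unverified_threshold \
udp_ports='' description='Allow Admin Console access from the $3 zone'"
}

# Print (dry run) or execute one command string.
run_cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$1"
    else
        sh -c "$1"
    fi
}

# Usage: sh make_admin_rules.sh [GROUP] [ZONE] [SOURCE_OBJECT]
# The defaults reproduce the thread's rule: group Administration, zone
# internal, source all:v4.
main() {
    group="${1:-Administration}"
    zone="${2:-internal}"
    src="${3:-all:v4}"
    if ! valid_name "$group" || ! valid_name "$zone" || ! valid_object "$src"; then
        echo "refusing to build a command from unexpected characters" >&2
        return 1
    fi
    run_cmd "$(rulegroup_cmd "$group" 3)"
    run_cmd "$(admin_console_cmd "$group" 2 "$zone" "$src")"
}

main "$@"
```

Run it once with the default DRY_RUN=1 to review the two generated commands, then with DRY_RUN=0 on the firewall to apply them. Passing a management-subnet object as the third argument instead of all:v4 keeps the rule's reach to the hosts that actually administer the box, which is the one change worth making to the thread's defaults.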

4 Replies

Re: CLI question..


Thank you, I was able to create the rulegroup and make it match our other firewall configurations.

sliedl
Level 14
Message 4 of 5

Re: CLI question..


Good to hear!  May I close the support ticket you opened for this issue?

Re: CLI question..


Yes

Thank You...
